Merge pull request #8748 from ministryofjustice/Update_221124_1

Update_221124_1
ministryofjustice · Nov 22, 2024 · d5711e4 · d5711e4
2 parents aa24d2d + 2a3b9cf
commit d5711e4
Show file tree

Hide file tree

Showing 2 changed files with 157 additions and 2 deletions.
diff --git a/terraform/environments/ppud/cloudwatch_alarms_windows.tf b/terraform/environments/ppud/cloudwatch_alarms_windows.tf
@@ -277,9 +277,9 @@ resource "aws_cloudwatch_metric_alarm" "low_disk_space_H_volume_rgvw027" {
   namespace           = "CWAgent"
   period              = "60"
   statistic           = "Average"
-  threshold           = "5"
+  threshold           = "3"
   treat_missing_data  = "notBreaching"
-  alarm_description   = "This metric monitors the amount of free disk space on the instance. If the amount of free disk space falls below 5% for 5 minutes, the alarm will trigger"
+  alarm_description   = "This metric monitors the amount of free disk space on the instance. If the amount of free disk space falls below 3% for 5 minutes, the alarm will trigger"
   alarm_actions       = [aws_sns_topic.cw_alerts[0].arn]
   dimensions = {
     InstanceId   = "i-00cbccc46d25e77c6"

diff --git a/terraform/environments/ppud/security_group.tf b/terraform/environments/ppud/security_group.tf
@@ -416,6 +416,84 @@ resource "aws_security_group_rule" "Primary-DOC-Server-Egress-2" {
 }
 
 
+resource "aws_security_group" "Live-DOC-Server" {
+  count       = local.is-preproduction == false ? 1 : 0
+  vpc_id      = data.aws_vpc.shared.id
+  name        = "Live-DOC-Server"
+  description = "Live-DOC-Server for DEV & PROD"
+
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}"
+  }
+}
+
+resource "aws_security_group_rule" "Live-DOC-Server-Ingress" {
+  description       = "Rule to allow port 80 traffic inbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Live-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Live-DOC-Server-Ingress-1" {
+  description       = "Rule to allow port 445 traffic inbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "ingress"
+  from_port         = 445
+  to_port           = 445
+  protocol          = "tcp"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Live-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Live-DOC-Server-Ingress-2" {
+  description       = "Rule to allow port 3389 traffic inbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "ingress"
+  from_port         = 3389
+  to_port           = 3389
+  protocol          = "tcp"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Live-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Live-DOC-Server-Egress" {
+  description       = "Rule to allow all traffic outbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "all"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Live-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Live-DOC-Server-Egress-1" {
+  description       = "Rule to allow port 443 traffic outbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.Live-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Live-DOC-Server-Egress-2" {
+  description       = "Rule to allow port 80 traffic outbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "egress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.Live-DOC-Server[0].id
+}
+
+
 resource "aws_security_group" "Secondary-DOC-Server" {
   count       = local.is-preproduction == false ? 1 : 0
   vpc_id      = data.aws_vpc.shared.id
@@ -493,6 +571,83 @@ resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-2" {
   security_group_id = aws_security_group.Secondary-DOC-Server[0].id
 }
 
+resource "aws_security_group" "Archive-DOC-Server" {
+  count       = local.is-preproduction == false ? 1 : 0
+  vpc_id      = data.aws_vpc.shared.id
+  name        = "Archive-DOC-Server"
+  description = "Archive-DOC-Server for DEV & PROD"
+
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}"
+  }
+}
+
+resource "aws_security_group_rule" "Archive-DOC-Server-Ingress" {
+  description       = "Rule to allow port 80 traffic inbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Archive-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Archive-DOC-Server-Ingress-1" {
+  description       = "Rule to allow port 445 traffic inbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "ingress"
+  from_port         = 445
+  to_port           = 445
+  protocol          = "tcp"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Archive-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Archive-DOC-Server-Ingress-2" {
+  description       = "Rule to allow port 3389 traffic inbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "ingress"
+  from_port         = 3389
+  to_port           = 3389
+  protocol          = "tcp"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Archive-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Archive-DOC-Server-Egress" {
+  description       = "Rule to allow all traffic outbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "all"
+  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
+  security_group_id = aws_security_group.Archive-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Archive-DOC-Server-Egress-1" {
+  description       = "Rule to allow port 443 traffic outbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.Archive-DOC-Server[0].id
+}
+
+resource "aws_security_group_rule" "Archive-DOC-Server-Egress-2" {
+  description       = "Rule to allow port 80 traffic outbound"
+  count             = local.is-preproduction == false ? 1 : 0
+  type              = "egress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.Archive-DOC-Server[0].id
+}
+
 resource "aws_security_group" "PPUD-Database-Server" {
   count       = local.is-development == true ? 1 : 0
   vpc_id      = data.aws_vpc.shared.id